
fs:exfat fix out of bound bug in __exfat_free_cluster

Message ID 1629987979-6301-1-git-send-email-tcs_kernel@tencent.com (mailing list archive)
State New, archived

Commit Message

Haimin Zhang Aug. 26, 2021, 2:26 p.m. UTC
From: Haimin Zhang <tcs_kernel@tencent.com>

There is an out-of-bounds bug in the exfat_clear_bitmap function
in fs/exfat/balloc.c, because the index of the vol_amap array isn't
verified. The function can be called by the __exfat_free_cluster
function, and the p_chain->dir variable, which can be controlled
by the user, can be large, which will eventually lead to an out-of-bounds
read. So we should check the index before entering the function.

Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
Signed-off-by: yanzhiqiang <zhiqiangyan@tencent.com>
---
 fs/exfat/fatent.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Patch

diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index e949e56..5ce524d 100644
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -157,6 +157,7 @@  static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 	struct super_block *sb = inode->i_sb;
 	struct exfat_sb_info *sbi = EXFAT_SB(sb);
 	int cur_cmap_i, next_cmap_i;
+	int chain_i;
 	unsigned int num_clusters = 0;
 	unsigned int clu;
 
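Review bot: `chain_i` is declared as `int` although it holds a bitmap sector index that the second hunk compares against `sbi->map_sectors`; the neighbouring counters in this function (`num_clusters`, `clu`) are `unsigned int`, so a signed variable here invites a signed/unsigned comparison warning and, if the macro result ever exceeds INT_MAX, a negative value that passes a `>` check. Declare it `unsigned int chain_i;` to match, and consider giving it a name that says what it indexes (e.g. `last_cmap_i`, alongside the existing `cur_cmap_i`/`next_cmap_i`).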
@@ -176,6 +177,13 @@  static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 		return -EIO;
 	}
 
+	/* check size */
+	chain_i = BITMAP_OFFSET_SECTOR_INDEX(sb,
+		CLUSTER_TO_BITMAP_ENT(p_chain->size + p_chain->dir));
+	if (chain_i > sbi->map_sectors) {
+		exfat_err(sb, "invalid start size (%u)", p_chain->size);
+		return -EIO;
+	}
+
 	clu = p_chain->dir;
 
 	cur_cmap_i = next_cmap_i =
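Review bot: the bound in `if (chain_i > sbi->map_sectors)` is off by one in the unsafe direction: `map_sectors` is a count, so the last valid bitmap sector index is `map_sectors - 1`, yet an index equal to `map_sectors` is accepted. The index is also computed from `p_chain->size + p_chain->dir`, which is one past the last cluster of the chain, so a chain that ends exactly at the bitmap boundary and a chain that runs several clusters past it can both yield `chain_i == map_sectors` and both pass. Compute the index from the last cluster actually touched, `p_chain->dir + p_chain->size - 1`, and reject with `>=`. Since the commit message says `p_chain->dir` is user-controlled, validate `dir` on its own before doing arithmetic on it: the `unsigned int` sum `p_chain->size + p_chain->dir` can wrap around to a small value and slip under the check entirely. Finally, the error message `"invalid start size (%u)"` prints only `p_chain->size` while the thing being rejected is the start cluster; log both, e.g. `exfat_err(sb, "invalid cluster chain (dir %u, size %u)", p_chain->dir, p_chain->size);`, and replace the `/* check size */` comment with one that states what is being bounded (the bitmap sector index of the chain's last cluster).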